Skip to content

libpod: hasCurrentUserMapped checks for gid too #24167

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 1 commit into from
Oct 4, 2024
Merged

libpod: hasCurrentUserMapped checks for gid too #24167

openshift-merge-bot merged 1 commit into from
Oct 4, 2024

Conversation

@giuseppe
Copy link
Member

@giuseppe giuseppe commented Oct 4, 2024

the kernel checks that both the uid and the gid are mapped inside the user namespace, not only the uid:

/**

  • privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
  • @ns: The user namespace in question
  • @idmap: idmap of the mount @iNode was found from
  • @iNode: The inode in question *
  • Return true if the inode uid and gid are within the namespace. */ bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
    struct mnt_idmap *idmap,
    const struct inode *inode)
    {
    return vfsuid_has_mapping(ns, i_uid_into_vfsuid(idmap, inode)) &&
    vfsgid_has_mapping(ns, i_gid_into_vfsgid(idmap, inode));
    }

for this reason, improve the check for hasCurrentUserMapped to verify that the gid is also mapped, and if it is not, use an intermediate mount for the container rootfs.

Closes: #24159

Does this PR introduce a user-facing change?

None

@giuseppe
libpod: hasCurrentUserMapped checks for gid too
e46ae46 
the kernel checks that both the uid and the gid are mapped inside the
user namespace, not only the uid:

/**
 * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
 * @ns: The user namespace in question
 * @idmap: idmap of the mount @iNode was found from
 * @iNode: The inode in question
 *
 * Return true if the inode uid and gid are within the namespace.
 */
bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
				 struct mnt_idmap *idmap,
				 const struct inode *inode)
{
	return vfsuid_has_mapping(ns, i_uid_into_vfsuid(idmap, inode)) &&
	       vfsgid_has_mapping(ns, i_gid_into_vfsgid(idmap, inode));
}

for this reason, improve the check for hasCurrentUserMapped to verify
that the gid is also mapped, and if it is not, use an intermediate
mount for the container rootfs.

Closes: containers#24159

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@openshift-ci openshift-ci bot added release-note-none approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 4, 2024
@giuseppe giuseppe mentioned this pull request Oct 4, 2024
Closed
@packit-as-a-service
Copy link

packit-as-a-service bot commented Oct 4, 2024

Ephemeral COPR build failed. @containers/packit-build please check.

Luap99
Luap99 approved these changes Oct 4, 2024
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 4, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, Luap99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mheon
Copy link
Member

mheon commented Oct 4, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 4, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 1f7fe1d into containers:main Oct 4, 2024
@edsantiago edsantiago mentioned this pull request Oct 9, 2024
Open
@stale-locking-app stale-locking-app bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Jan 3, 2025
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Jan 3, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@Luap99 Luap99 Luap99 approved these changes

Assignees

@mheon mheon

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. release-note-none

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Rootless --userns=auto fails when mapping UIDs >=1 without also mapping GIDs (OCI permission denied)

3 participants

@giuseppe @mheon @Luap99